Transition from 8-byte to 11-byte instruction lengths for local variables
Notice these C++ local variable instruction lengths are 8-bytes within the red box
48 c7 45 f8 00 00 00 00
...
However, the instruction lengths are 11-bytes within the green box
48 c7 85 78 ff ff ff 00 00 00 00
...
https://godbolt.org/z/bTsxx63rT
Background
I was working on some shellcode that required patching API addresses but noticed errors because the local variable instructions lengths jumped from 8 to 11 bytes. Anyhow, thru trial and error, to enforce all the instructions to be 11 bytes, I added a local array
char enforce_mov_long_form[128];
to avoid accessing locals in the range [rbp-0x8] to [rbp-0x80]
DWORD WINAPI shellcode_start(void)
{
char enforce_mov_long_form[128];
// ------------------------------------------------------------
QWORD start_shellcode = 0xAAAAAAAAAAAAAAAA;
DWORD sizeofshellcode = 0xAAAAAAAA;
QWORD start_shellcode_injector = 0xAAAAAAAAAAAAAAAA;
DWORD pid_injector = 0xAAAAAAAA;
QWORD WinExec = 0xAAAAAAAAAAAAAAAA;
QWORD Sleep = 0xAAAAAAAAAAAAAAAA;
QWORD CreateToolhelp32Snapshot = 0xAAAAAAAAAAAAAAAA;
QWORD Process32First = 0xAAAAAAAAAAAAAAAA;
QWORD Process32Next = 0xAAAAAAAAAAAAAAAA;
QWORD CloseHandle = 0xAAAAAAAAAAAAAAAA;
QWORD OpenProcess = 0xAAAAAAAAAAAAAAAA;
QWORD VirtualAllocEx = 0xAAAAAAAAAAAAAAAA;
QWORD VirtualFreeEx = 0xAAAAAAAAAAAAAAAA;
QWORD WriteProcessMemory = 0xAAAAAAAAAAAAAAAA;
QWORD CreateRemoteThread = 0xAAAAAAAAAAAAAAAA;
QWORD CompareStringA = 0xAAAAAAAAAAAAAAAA;
QWORD GetCurrentProcessId = 0xAAAAAAAAAAAAAAAA;
// ------------------------------------------------------------
Questions
Why is there a sudden transition from 8-byte to 11-byte instruction lengths for local variables?
Are there any micro optimizations gained by confining local variables within [rbp-0x8] to [rbp-0x80]?
Promoting comments to answer:
x86-64 addressing modes encode the displacement as either a signed 8-bit (1 byte) or signed 32-bit (4 bytes) value, which in either case is sign-extended to 64 bits. Since the range of a signed 8-bit integer is [-128..127] or [-0x80..0x7f], displacements outside this range must use the 32-bit form instead, making the instruction three bytes longer.
For more on how addressing modes are encoded, see https://wiki.osdev.org/X86-64_Instruction_Encoding and Referencing the contents of a memory location. (x86 addressing modes).
- C typedef name conflict
- How to use 32-bit pointers in 64-bit application?
- problems with scanf input stream
- Is it guaranteed to be safe to perform memcpy(0,0,0)?
- Need help understanding pointer to a type of n elements in C (int (*p)[10])?
- Local variables performance vs global in example
- How to Print SOAP Message Request Body generated using GSOAP when calling service
- Big Number Subtraction in C
- Docker custom program stop
- GTK4 Windows Multiple File Choosing
- Cannot get lldb to read file input through redirect
- Modeling nested lists in C
- Linker and Memory map for shared memory in autosar embedded environment
- Why is only the numerator cast to float to obtain a float quotient while dividing two integers?
- $gcc problemMatcher doesn't show all errors or warnings
- What registers to save in the ARM C calling convention?
- What does ** do in C language?
- How to install pywin32 module in windows 7
- How to differentiate a Cypher clause from an SQL clause in C?
- How do I check if my executable is running for a service or for a normal program?
- How to fix a simple error in Atmel studio
- Given day, month, year calculate day in year
- Definition of int64_t
- Can we have multiple c files to define functions for one header file?
- Check if array is ASCII
- What does C or GCC do when implicit function declaration exists
- How can I programmatically find the CPU frequency with C
- Can I use a binary literal in C or C++?
- Want to Convert Integer to String without itoa function
- How to permanently configure VSCode to use cl.exe without launching it from the Developer Command Prompt?